Getting root on a Sony TV

The Sony Bravia series of HDTVs is a great piece of kit; they’re nice displays that usually have enough inputs for the craziest home theatre setups. These TVs also run Linux, but until now we haven’t seen anything that capitalizes on the fact that these displays are wall-mounted Linux boxen. [Sam] sent in an exploit to root any Bravia TV – hopefully the first step towards replacing our home media server.

The exploit itself is a regular buffer overflow initiated by a Python script. The script sets up a Telnet server on any Sony Bravia with a USB port, and provides complete root access. [Sam] was able to get a Debian install running off a USB drive and all the Debian programs run correctly.

If you have a Bravia you’d like to test [Sam]’s script on, you’ll need a USB network adapter for the TV and a Telnet client to explore your TV’s file system. Right now there’s not much to do with a rooted Bravia, but at least now running XBMC or another media server on a TV is possible.

If anyone would like to start porting XBMC to a Bravia TV, [Sam] says he’s more than willing to help out. We’re not aware of any HDTV modding communities on the Internet, so if you’re part of one, post a link in the comments.

I popped open my LG TV a while back to repair some blown caps in the PSU; I found a TTL level serial port and investigated. It too runs a MIPS chip and boots Linux. I fired off an email to LG and they actually sent me the source code. Never went anywhere with it but it was interesting to see Linux in such an unexpected place.

If anyone is interested, I did a teardown of a Sony Bravia a while ago, and I still have the components, so if I can help in any way by taking more detailed pictures (D5100 now), or sending actual boards, feel free to contact me! I would be happy to help! :)

This telnets to port 12345 on the TV to run a few commands. The port is open on my Bravia KDL52W5150 (a couple years old). I discovered port 12345 with Wireshark a few years ago, but couldn’t find any documentation on the password. Interestingly enough, I still can’t find any info on the password on the Internet, but it’s in the Python script: “gemstar”.

I can verify that this isn’t working on a KDL52W5150. It’s able to log into the TV, but fails on the cp command.

Weird, I’ve been messing with the CLI for a bit and I’m magically able to copy folders now. I did run the command “reset exception”, which I believe emulates an exception and causes the TV to reboot. I’m not sure if that has anything to do with why I’m able to copy folders now. Also, keep in mind that I have no idea what any of these commands actually do, so try them at your own risk. I think I’m at the point where I need to cross-compile busybox for mipsel. The pre-compiled version on busybox’s website does not work, see the output below when using that version.

That can happen if you compile busybox without the “FEATURE_PREFER_APPLETS” configuration item set. I would suggest either building from my config file in the repository (busybox/config) or using the precompiled version in nimue-0.1.tar.bz2

The awesome thing is, if you’ve made it this far, the exploit is already working for you. What is your TV and firmware version so I can record this in the docs?

Neat, but it’s probably cheaper to jailbreak an Apple TV and hook it up to a cheap HDTV. Are the sound and graphics chip already recognized? It might be possible to create a custom kernel, boot and flash (or brick) the TV with it so mplayer can play directly on the TV itself.

Wondered if there was a way to get root on it, the user manual/license thingy says it uses a lot of different open source SW. Also think I’ll disable SW updates on my TV for now, just in case they fix it and roll out a firmware update.

Hopefully the internet-connected Sanyo TVs will be next. (Although since there aren’t many out there, I won’t expect it.) Currently they only have Netflix, Vudu, Pandora and then some other mostly useless stuff…

Similar thinking here. I’ll also add that Sony has pretty much abandoned their product with lousy support. So far there’s been very little use of the Ethernet port on the TV I bought. Sony has no dev kit to work with. The previous version was Japanese only and abandoned a short time after it was released. The TV can see my DLNA server but it’s so limited in what it can view (need the exact audio & video codecs in the correct format). Too bad they failed to understand that by doing something like an Android phone they would have had a fun and useful product.

I have a European KDL-32V5500 from 2009 with the latest (withdrawn) firmware: 1.750EA. If I understand it right, when I boot the TV with a USB drive, it should execute nimue.py from the root (so has a Python interpreter and looking for this magic file) which should inject the required payloads, start the busybox/busybox binary and look for Telnet access?

Tried it with a few modifications (busybox binary in the root), but nothing happened. Tried to Telnet into the TV (have a wired connection through a router, not really useful but I can transcode stuff from PS3 Media Server, so probably there are no firewalled ports and I assume this connection isn’t worse than a wireless one with a USB adapter) with PuTTY and Windows Telnet on port 23 and port 12345, but there was no answer or prompt for the password.

Got it after reading the second time, unfortunately jumped on it too quickly, thought that it’s a plug and play solution, and there was no way to cancel my stupid comment. :(

The port was correct, the setup wasn’t, either the vulnerability was removed from the EU firmwares or is only exploitable the described way with a USB network adapter. (And the Python script exited with an error under the latest Windows install, so I wasn’t able to run it. Anyway since port 12345 isn’t open for me, I guess it would be useless on my setup.)

I hope things will lead somewhere, and a more useful custom firmware will pop out one day. Sony really abandoned the 2009 EU models right after the release.

I’ve tried to telnet with ports from 1 to 65535.
I’ve made a bash loop for this and telnet was successful only on open ports, but these ports were 80, 2 ports of UPnP and 1 port, 52323/tcp, I don’t know what this is…

open ports on my TV (LAN and WiFi)
PORT STATE SERVICE
80/tcp open http
8963/tcp open unknown
9784/tcp open unknown
52323/tcp open unknown

Check the Downloads link on the nimue github page for a .tgz containing a ready-made busybox. If this doesn’t meet your needs, you must set up a cross-compilation environment for mips and build your own.

Sony have probably closed any backdoors, as Linux is getting more known and they get smarter. Linksys as interface with any TV is better and the interfaces are getting cheap as miniX for $70, with all the programmability and software Linux can supply with full internet connectivity.

3 things why you want to run it native on the TV:
1. Same remote for all functions.
2. Same interface for TV and media player.
3. No cables for external device such as HDMI & power.
All in all higher WAF factor with integrated Linux XBMC.